This procedure is useful when running honeypots to support CredSSP (using `--auth ssp`).
It requires Administrative privileges on the target server and the use of Mimikatz, so it assumes that you are able to deactivate the Anti-Virus on the target server.
WARNING: Cloning the certificate of the RDP server does not mean that the certificate will be trusted. Certificate trust requires a signed certificate from a CA that is trusted by the client. This is not likely to be the case in most scenarios. If you want to do that, you are on your own.
- Turn off AV so mimikatz doesn't get flagged (or use an excluded directory).
- Download the latest mimikatz release.
- (optional) Go to `Start > Run... > certlm.msc`.
- (optional) Identify the valid certificate under `Remote Desktop > Certificates` and note the thumbprint.
- Export the Remote Desktop certificates using mimikatz:

  ```
  privilege::debug token::elevate crypto::capi crypto::certificates /systemstore:LOCAL_MACHINE /store:"Remote Desktop" /export
  ```

- Convert the public key to `.pem` using openssl:

  ```
  openssl x509 -inform DER -outform PEM -in pubkey.der -out pubkey.pem
  ```

- Remove the private key password (the password for the `.pfx` is "mimikatz"):

  ```
  openssl pkcs12 -nodes -in privkey.pfx -out privkey.key
  ```

NOTE: If `token::elevate` doesn't work, make sure you are running mimikatz as SYSTEM (i.e. under `psexec -s cmd.exe`).
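A sanity check for the files produced by the last two steps, added here as an example (it is not part of PyRDP or of the original page): it confirms that `pubkey.pem` carries the thumbprint noted in certlm.msc and that `privkey.key` really is the private key for that certificate, before the honeypot starts serving them. File names follow the steps above; the expected thumbprint is whatever you noted in certlm.msc.

```shell
#!/bin/sh
# Added example, not PyRDP code: verify a cloned RDP certificate/key pair
# against the thumbprint recorded in certlm.msc. Requires openssl.

# SHA-1 thumbprint of a PEM certificate as uppercase hex without separators.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# Succeeds only if the certificate ($1) and the key file ($2) carry the
# same public key (compared via a SHA-256 digest of the DER public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# verify_clone pubkey.pem privkey.key <thumbprint from certlm.msc>
# The thumbprint may be given with or without colons/spaces, any case.
verify_clone() {
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    actual=$(cert_thumbprint "$1")
    if [ "$actual" != "$expected" ]; then
        echo "thumbprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "private key $2 does not match certificate $1" >&2
        return 1
    fi
    echo "ok: $1 and $2 match thumbprint $actual"
}

# Usage: verify_clone pubkey.pem privkey.key "ab:cd:...:ef"
```

A mismatch on either check means the wrong certificate was exported from the store or the `.pfx` conversion produced a different key than the one the server uses.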
You can now run `pyrdp-mitm` by specifying `-k privkey.key -c pubkey.pem`, and PyRDP will serve the same certificate as the server.

With the certificate and the private key, RDP servers with Network Level Authentication (NLA) enabled can be MITM'd. Use `--auth ssp` to do that.